False Expectations And Consumerized Devices

Recently, there was a very public example of how not to do a tablet deployment. The Los Angeles Times reported that the Los Angeles Unified School District had been forced to suspend a program to provide iPads to students because several hundred students had figured out ways to remove security restrictions put in place by school administrators.

As it turned out, the LAUSD did not use sophisticated tools to manage their iPads. They merely used ActiveSync accounts, which students were able to “hack” by simply deleting them from their tablets. This allowed the students to gain control of their iOS devices and use them to stream music and visit social media sites. (The school district has since taken back all of the issued iPads.)

This incident highlights the many pitfalls of trying to deploy and manage mobile devices in any large, organized setting. A more sophisticated device management solution may have been needed, but it would have raised costs (both up-front and in the long term). So instead, they relied on a relatively simple and easy to maintain solution – which, unfortunately, was easily defeated. From a purely technical perspective, solutions for this problem were available, but were not chosen.

However, what’s more interesting – and what we can learn from – is the why. The technical issues can probably be resolved without too much difficulty. Why did students feel the need to hack their devices? One student said it best: they took the devices home and “they can’t do anything with them.”

Simply put, the students viewed these iPads as personal devices, with their data, and theirs to do as they wished. That, in and of itself, is a valuable lesson for enterprises trying to secure and protect their employee’s devices.

Despite the rise of consumerization, divisions should still exist between “personal” devices and “work” devices. Mobile device management attempts to bridge this divide, but it does add complexity and cost. Just as importantly, user mindsets about what’s “personal” and what’s “work” still exist. That means that corporate data can be placed at risk due to exposure on “personal” devices.

What might be more important than technical solutions is to change and understand mindsets. Part of the strategy for dealing with consumerization is the understanding that “work” information on “personal” devices means that behavior has to change, too. You can’t, say, hand off a tablet with your work email to your child to play Candy Crush – that would just be silly. Employees have to understand that more than technical limits, behavioral limits apply, too.

Conversely, enterprises have to understand that imposed limits on “personal” devices have to be reasonable. Here, the limits were so strict that students had plenty of motivation to go around them. Enterprises have to be careful that their own limits aren’t similarly evaded – either by either “hacking” authorized devices or just using unauthorized ones.

In dealing with consumerization, we’ve always said it was important to have a strategy. Obviously, different organizations will have different strategies depending on their needs, capabilities, and potential threats. What this incident teaches us is that in order for that strategy has to be sensible, reasonable, and perhaps most of all: enforceable.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:

Security Predictions for 2020

Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.Read our security predictions for 2020.

Business Process Compromise

Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more,
read our Security 101: Business Process Compromise.